Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Page's title should be encoded or filtering html entities/javascript code #271

Closed
kuqadk3 opened this issue May 30, 2019 · 6 comments
Closed
Assignees
Labels
Milestone

Comments

@kuqadk3
Copy link

kuqadk3 commented May 30, 2019

I was testing on :

  • Wordpress 5.2.1
  • WP Statistic 12.6.5

Account with Editor role can create Post with Title that contain javascript/html. For example :

<script>alert(document.cookie)</script>

image

WP statistics page that use these title will got affected for xss attack, for example : overviews, pages,...

image

Even if the Editor delete the Post, but it still remain in top 10 page that got most hit, the Overviews page still be affected. So in reality, attacker that controls the Editor account can create page with title that contains maclious javascript code that steal admin cookie (for example), visit it a lot that make it be in top 10 page most visited, delete the post so admin wont notice the weird post that have javascript in title. And when admin click on Overviews page of WP Statistic, his cookie will be stolen.

@mehrshaddarzi mehrshaddarzi self-assigned this May 30, 2019
@mehrshaddarzi mehrshaddarzi added this to the 12.7 milestone May 30, 2019
@mehrshaddarzi
Copy link
Collaborator

Hi @kuqadk3
Please change this Line :

'title' => get_the_title( $page_id ),

to

'title' => esc_html( get_the_title( $page_id ) ),

and tell me feedback.

@kuqadk3
Copy link
Author

kuqadk3 commented May 30, 2019

WoW. Nice. Quick fix.

That fix the xss in Overview and Pages.

Categories and Author is also affected and still affected. Sorry for not mention them in first place.

@kuqadk3
Copy link
Author

kuqadk3 commented May 30, 2019

I think we need to esc_html all those that do $post_obj->post_title

https://github.com/wp-statistics/wp-statistics/search?utf8=%E2%9C%93&q=%24post_obj-%3Epost_title&type=

@mehrshaddarzi
Copy link
Collaborator

@kuqadk3
Yes.
We Fixed This issue for next Version.
Thanks a lot.

@ethicalhack3r
Copy link

Hi! Ryan from wpvulndb.com here.

Do you know when the next version will be released which includes this patch?

We'd like to add the vulnerability to our database, but would prefer to do so once it has been patched.

Thanks!

@mostafasoufi
Copy link
Member

Hi @ethicalhack3r,

The new version will be released until Friday.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

4 participants